Add 'server smb encrypt' parameter in ksmbd.conf to control data encryption mode with 3 options(off, desired, required). - Setting it to off globally will completely disable the encryption feature for all connections. - Setting it to desired on a share will turn on data encryption for this share for clients that support encryption. - Setting it to required on a share will enforce data encryption for this share. i.e. clients that do not support encryption will be denied access to the share
Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
---
 include/linux/ksmbd_server.h | 1 +
 ksmbd.conf.5.in | 9 ++++++---
 tools/config_parser.c | 12 +++++++++---
 3 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/include/linux/ksmbd_server.h b/include/linux/ksmbd_server.h
index 643e2cd..8ec004f 100644
--- a/include/linux/ksmbd_server.h
+++ b/include/linux/ksmbd_server.h
@@ -28,6 +28,7 @@ struct ksmbd_heartbeat {
 #define KSMBD_GLOBAL_FLAG_SMB2_LEASES (1 << 0)
 #define KSMBD_GLOBAL_FLAG_SMB3_ENCRYPTION (1 << 1)
 #define KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL (1 << 2)
+#define KSMBD_GLOBAL_FLAG_SMB3_ENCRYPTION_OFF (1 << 3)
 struct ksmbd_startup_request {
 __u32 flags;
diff --git a/ksmbd.conf.5.in b/ksmbd.conf.5.in
index 90bdfc0..fe4174c 100644
--- a/ksmbd.conf.5.in
+++ b/ksmbd.conf.5.in
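Review bot: In include/linux/ksmbd_server.h the new KSMBD_GLOBAL_FLAG_SMB3_ENCRYPTION_OFF bit is added without a comment, although it turns KSMBD_GLOBAL_FLAG_SMB3_ENCRYPTION from a yes/no switch into half of a three-state encoding. Going by the parser change in tools/config_parser.c, `required` sets bit 1, `off` sets bit 3, `desired` clears both, and the state with both bits set is never produced. I would record that above the defines, for example `/* SMB3_ENCRYPTION = required, SMB3_ENCRYPTION_OFF = disabled, neither = desired; both set is invalid */`. If the consumer of these flags is built from an older copy of this header (not visible here), it would presumably read `desired` as encryption not enabled, so the required version pairing deserves a sentence in the description.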
@@ -280,10 +280,13 @@ Maximum length that may be used in a SMB2 WRITE request sent by a client.
 Default: \fBsmb2 max write = 4MB\fR \" SMB3_DEFAULT_IOSIZE
 .TP
-\fBsmb3 encryption\fR (G)
-Use of SMB3 encryption is allowed.
+\fBserver smb encrypt\fR (G)
+A remote client is allowed or required to use SMB encryption.
+Setting it to \fBoff\fR globally will completely disable the encryption feature for all connections.
+Setting it to \fBdesired\fR on a share will turn on data encryption for this share for clients that support encryption.
+Setting it to \fBrequired\fR on a share will enforce data encryption for this share. i.e. clients that do not support encryption will be denied access to the share.
-Default: \fBsmb3 encryption = no\fR
+Default: \fBserver smb encrypt = desired\fR
 .TP
 \fBsmbd max io size\fR (G)
 Maximum read/write size of SMB-Direct.
diff --git a/tools/config_parser.c b/tools/config_parser.c
index 7df0606..9b731e3 100644
--- a/tools/config_parser.c
+++ b/tools/config_parser.c
@@ -509,11 +509,17 @@ static gboolean global_group_kv(gpointer _k, gpointer _v, gpointer user_data)
 return TRUE;
 }
- if (!cp_key_cmp(_k, "smb3 encryption")) {
- if (cp_get_group_kv_bool(_v))
+ if (!cp_key_cmp(_k, "server smb encrypt")) {
+ if (!cp_key_cmp(_v, "required")) {
 global_conf.flags |= KSMBD_GLOBAL_FLAG_SMB3_ENCRYPTION;
- else
+ global_conf.flags &= ~KSMBD_GLOBAL_FLAG_SMB3_ENCRYPTION_OFF;
+ } else if (!cp_key_cmp(_v, "off")) {
+ global_conf.flags |= KSMBD_GLOBAL_FLAG_SMB3_ENCRYPTION_OFF;
 global_conf.flags &= ~KSMBD_GLOBAL_FLAG_SMB3_ENCRYPTION;
+ } else if (!cp_key_cmp(_v, "desired")) {
+ global_conf.flags &= ~KSMBD_GLOBAL_FLAG_SMB3_ENCRYPTION;
+ global_conf.flags &= ~KSMBD_GLOBAL_FLAG_SMB3_ENCRYPTION_OFF;
+ }
 return TRUE;
 }
-- 2.25.1
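Review bot: In tools/config_parser.c, any value other than `required`, `off` or `desired` falls through the new if/else chain in global_group_kv and leaves both flags untouched, with no message. An administrator who misspells the value while intending to enforce encryption is therefore left, presumably, in the `desired` state, where clients without encryption support are still served, and nothing reports it. I would end the chain with a branch that names the rejected value, e.g. `} else { pr_err("Invalid 'server smb encrypt' value: %s\n", (char *)_v); }`, assuming the file's usual pr_err logger is in scope here. The old `smb3 encryption` key is also removed without an alias, so how an existing config line is treated after the upgrade depends on code outside this hunk, as does the rest of the function body.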